We’ve identified a number of spear phishing campaigns using Pakistani-themed documents, likely targeting the region. These spear phishing emails use a mix of different openly available malware and document exploits for delivery. The payloads are served from the compromised domains www.serrurier-secours[.]be and careers.fwo.com[.]pk (a part of the Pakistani army). There are some clear trends in the themes of the decoy documents the attackers chose to include, with file names such as:
The first document we (and others) analysed contains a list with names of officers who are being promoted in the Pakistan Atomic Energy Commission:
This is probably a targeted attack, with a small number of emails delivered to a selected group of people. Although the document is dated December 2017, we’ve seen related malware dating back to June 2017. A number of these documents have been previously identified by users on Twitter.
We were surprised to find that these documents drop a mix of low-quality RATs such as Pony and Netwire, normally associated with amateur attacks against banking credentials rather than with something more targeted. As we’ve seen previously, the use of openly available malware makes attribution difficult.
When opened, the document drops several files. Among them is an encapsulated PostScript (EPS) file, identified by the hash 6f3beaca4f864a15ac5eb70391a5e9e3. The malformed EPS tries to exploit CVE-2015-2545, which allows an attacker to execute arbitrary code placed inside an EPS header.
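Because Office Open XML documents are plain zip containers, a first triage step for a suspicious attachment is simply to list any embedded EPS members, which a business document rarely needs. The following is an added illustration of that check and is not tooling from the post or from AlienVault; the sample document it builds in memory is constructed here and contains only a stub EPS header, not the exploit.

```python
import io
import zipfile

# EPS files start with either an ASCII "%!PS-Adobe" header or the 4-byte DOS EPS binary header.
EPS_MAGIC = (b"%!PS-Adobe", b"\xc5\xd0\xd3\xc6")


def find_embedded_eps(doc_bytes):
    """Return the names of zip members that look like EPS files, by extension or by magic bytes.

    Legacy binary .doc/.xls files are not zip containers; they are reported as empty here
    and would need an OLE parser instead.
    """
    if not zipfile.is_zipfile(io.BytesIO(doc_bytes)):
        return []
    hits = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for info in zf.infolist():
            head = zf.read(info.filename)[:16]
            if info.filename.lower().endswith(".eps") or head.startswith(EPS_MAGIC):
                hits.append(info.filename)
    return hits


def build_sample_docx(with_eps):
    """Construct a minimal docx-like zip for demonstration; not a real document from the campaign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_eps:
            # Embedded images live under word/media/; this stub carries only a header line.
            zf.writestr("word/media/image1.eps",
                        b"%!PS-Adobe-3.0 EPSF-3.0\n% constructed stub, no PostScript body\n")
    return buf.getvalue()


if __name__ == "__main__":
    print("with EPS:", find_embedded_eps(build_sample_docx(True)))
    print("without EPS:", find_embedded_eps(build_sample_docx(False)))
```

The presence of an EPS member is a triage signal, not proof of exploitation; a hit should send the file to sandboxing or static analysis rather than straight to an incident.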
In this case, the code it tries to execute is the payload identified by the hash c97a22cbc20c1f2237e649abee8c92fb, a DLL containing a malicious remote access tool. Its capabilities include sandbox evasion, local privilege escalation and remote code execution on the infected machine.
The payload also loads multiple system functions commonly found in Windows malware families, allowing it to:
Create and destroy processes and files.
Extract system information.
Take system snapshots.
The payload checks the system version to find out whether it is vulnerable to either remote code execution or local privilege escalation. The process flow appears to exploit CVE-2016-7255. This exploit, which allows privilege escalation on a Windows machine, is triggered by a win32k.sys call to NtSetWindowLongPtr with the GWLP_ID index on a window handle whose GWL_STYLE attribute has the WS_CHILD value set. This vulnerability became very popular in November 2016, after the APT28 group used it in targeted attacks. The flow of the main privilege escalation thread is described in the picture.
The program runs cmd.exe /k whoami to verify whether the RCE has worked. The final payload dropped is a sample containing the infamous Netwire RAT. We found packages with a similar purpose dropped by some of the other documents mentioned. The attack pattern and some other indicators, such as domain names, look similar to the Revenge RAT campaign analyzed by RSA Link security researchers.
We detect the malware used in these attacks in a number of ways across the host and the network.
The AlienVault Agent is a lightweight, adaptable endpoint agent based on osquery and maintained by AlienVault. In USM Anywhere, the AlienVault Agent enables continuous endpoint monitoring, using the built-in AlienVault threat intelligence to automate endpoint queries and threat detection alongside your other network and cloud security events. This allows USM Anywhere to deliver endpoint detection and response (EDR), file integrity monitoring (FIM), and rich endpoint telemetry capabilities that are essential for complete and effective threat detection, response, and compliance.
The AlienVault Agent detects the following malicious activity during the attacks:
Suspicious Process Created by Microsoft Office Application
Core Windows Executable launched from Wrong Path
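The two endpoint detections above map directly onto process-creation telemetry: a document viewer spawning a shell, and a system binary running outside the system directories. The block below is an added illustration of that logic (it is not the AlienVault Agent's rule implementation) run over constructed Sysmon-style events, one of which mirrors the cmd.exe /k whoami check the payload performs.

```python
# Parent processes that are document viewers.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Child processes a document viewer has little legitimate reason to spawn.
SUSPICIOUS_OFFICE_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                              "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Core Windows binaries that should only ever run from the system directories.
CORE_EXES = {"cmd.exe", "svchost.exe", "rundll32.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
CORE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

RULE_OFFICE = "Suspicious Process Created by Microsoft Office Application"
RULE_PATH = "Core Windows Executable launched from Wrong Path"


def basename(path):
    """Last path component, lower-cased, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the list of rule names an event triggers (possibly both)."""
    image = ev["Image"].lower()
    parent = ev["ParentImage"].lower()
    alerts = []
    if basename(parent) in OFFICE_PARENTS and basename(image) in SUSPICIOUS_OFFICE_CHILDREN:
        alerts.append(RULE_OFFICE)
    # Compare the full path, not just the name, so a look-alike copy in %TEMP% is caught.
    if basename(image) in CORE_EXES and not image.startswith(CORE_DIRS):
        alerts.append(RULE_PATH)
    return alerts


def run_detections(events):
    """Flatten events into (ProcessId, rule name) pairs for every alert raised."""
    return [(ev["ProcessId"], alert) for ev in events for alert in check_event(ev)]


# Constructed sample events in Sysmon Event ID 1 style; the paths and PIDs are invented.
SAMPLE_EVENTS = [
    {"ProcessId": 4120,
     "ParentImage": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /k whoami"},
    {"ProcessId": 5016,
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\svchost.exe",
     "CommandLine": "svchost.exe"},
    {"ProcessId": 5300,
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for pid, rule in run_detections(SAMPLE_EVENTS):
        print(pid, rule)
```

In production the office-child list is the main tuning point: a too-narrow list misses LOLBins, a too-wide one alerts on benign helpers such as printer drivers, so pair the rule with the command line (here, whoami) when ranking alerts.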
Network Detection Rules
ETPRO TROJAN NetWireRAT Keep-Alive
ETPRO TROJAN NetWire Variant
ETPRO TROJAN Netwire RAT Check-in
ETPRO TROJAN Fareit/Pony Downloader CnC response
ETPRO TROJAN Fareit/Pony Variant CnC Beacon
ETPRO TROJAN MSIL/Revenge-RAT CnC Checkin
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
USM Anywhere Correlation Rules
Detect this malware activity with the following correlation rules:
System Compromise - Malware Infection - Remote Access Trojan
System Compromise - Malware Infection - Downloader
System Compromise - Malware Infection - Dropper
System Compromise - Malware Infection - Trojan
Thanks to Chris Doman and Javvad Malik for collaboration.
Related analysis by users on Twitter
rule PAEC_Spearphishing_dropped_DLL  // placeholder name: the original rule name did not survive on this page
{
    meta:
        description = "Pakistani Atomic Energy Commission Spearphishing dropped DLL"
        author = "Jose M Martin"
        date = "2018/07/10"
        hash = "027e4c6c51e315f0e49f3644af08479303a747ed55ecba5aa0ae75c27cd6efeb"

    strings:
        $s1 = "ExploitTagMenuState start" fullword ascii
        $s2 = "ExploitTagMenuState end" fullword ascii
        $s3 = "DonorThread start" fullword ascii
        $s4 = "EscalateThread start" fullword ascii
        $s5 = "EscalatePrivilegesOld start" fullword ascii
        $s6 = "EscalatePrivilegesWow" fullword ascii

    condition:
        uint16(0) == 0x5A4D and filesize < 30KB and (any of them)
}